On Tue, Jun 21, 2022 at 7:51 PM <[email protected]> wrote:
> Hi.
>
> During a meeting today of ROW (https://regiops.net), the I-D on CDS
> bootstrapping by using a DNSSEC-signed name at name server zone
> (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/)
> was discussed.
> In that discussion, it was mentioned that the current draft only supports
> out-of-bailiwick name servers; I replied that the same principle could be
> applied to in-bailiwick name servers by usage of the reverse DNS zones for
> IPv4 and IPv6.
>

Even if that is true, why bother?

The whole point of the bootstrap mechanism is to onboard the *initial* DS record for a particular domain securely. Once the initial DS is present, there is no further need for bootstrap.

For a single domain, the only purpose of doing what you propose for a "vanity" name server name is to accomplish a one-shot action.

The use of some (any) third party DNS operator whose infrastructure zone(s) is/are signed, for the purposes of doing the bootstrap, followed by migrating the signed zone to another set of name servers securely (e.g. via the multi-signer mechanisms, or via setting the zone up as a signed AXFR from a hidden master), would achieve the same result without any new proposals or implementations required.

That would be two steps instead of one, but only at the time of the initial DS. Once that DS is onboard at the parent domain, the bootstrap operator is no longer involved.

Even if procuring the services from a DNS operator costs a small amount for the time it takes to do the bootstrap and migration, knowing that it works and is secure, and does not require any work on implementing something that is never going to be reused, would seem to be a small price to pay.

You may even have friends operating their own signed zones, via which you can bootstrap this way for free.

Brian
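The thread turns on the difference between an out-of-bailiwick name server (whose own zone can carry a DNSSEC-signed signaling record for the child) and an in-bailiwick one (whose name lives inside the not-yet-signed child, so nothing there can be validated). The script below, an added example written for this page and not code from the draft or from either poster, makes that distinction concrete: it classifies a name server as in- or out-of-bailiwick, builds the signaling name the draft uses for the out-of-bailiwick case (the `_dsboot.<child>._signal.<ns>` layout is assumed from the draft), and, for the in-bailiwick case, shows where the reverse-DNS variant proposed in the quoted message would have to anchor the signal: under the `in-addr.arpa` / `ip6.arpa` name of the server's address. Placing the same `_dsboot`/`_signal` labels under the reverse name is an assumption made here for illustration, not something the draft or the message specifies.

```python
"""Classify name servers for DNSSEC bootstrapping and derive the signaling
name a validating parent would look up.  Added example; names and layout
under the reverse zones are assumptions, not the draft's specification."""
import ipaddress
from dataclasses import dataclass, field

# Labels assumed from draft-ietf-dnsop-dnssec-bootstrapping (out-of-bailiwick case).
BOOT_LABEL = "_dsboot"
SIGNAL_LABEL = "_signal"


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop its trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_in_bailiwick(child: str, ns: str) -> bool:
    """True if the name server's name is inside the child zone (or is the child itself).

    Such a server cannot carry a validatable signal for the child: its own name
    is part of the very zone whose DS has not been published yet.
    """
    child, ns = _norm(child), _norm(ns)
    return ns == child or ns.endswith("." + child)


def signaling_name(child: str, ns: str) -> str:
    """Signaling owner name under an out-of-bailiwick name server's zone."""
    return f"{BOOT_LABEL}.{_norm(child)}.{SIGNAL_LABEL}.{_norm(ns)}"


def reverse_signaling_name(child: str, address: str) -> str:
    """Assumed reverse-zone variant: same labels, anchored under the address's
    in-addr.arpa / ip6.arpa name (the idea raised in the quoted message)."""
    rev = ipaddress.ip_address(address).reverse_pointer
    return f"{BOOT_LABEL}.{_norm(child)}.{SIGNAL_LABEL}.{rev}"


@dataclass
class BootstrapPlan:
    child: str
    ns: str
    in_bailiwick: bool
    lookups: list = field(default_factory=list)  # names the parent would validate


def plan_bootstrap(child: str, ns: str, ns_addresses: tuple = ()) -> BootstrapPlan:
    """Decide which signed names could carry the child's CDS/CDNSKEY signal.

    Out-of-bailiwick: one signaling name under the server's own (signed) zone.
    In-bailiwick: only the reverse zones of the server's addresses are outside
    the child; without a known address there is nothing to anchor to.
    """
    plan = BootstrapPlan(_norm(child), _norm(ns), is_in_bailiwick(child, ns))
    if not plan.in_bailiwick:
        plan.lookups.append(signaling_name(child, ns))
        return plan
    if not ns_addresses:
        raise ValueError(
            f"{plan.ns} is in-bailiwick for {plan.child} and no address was given: "
            "no signed name outside the child is available to carry the signal"
        )
    plan.lookups.extend(reverse_signaling_name(child, a) for a in ns_addresses)
    return plan


if __name__ == "__main__":
    # Constructed sample input (documentation-range addresses, example names).
    for args in (("example.com", "ns1.provider.net"),
                 ("example.com", "ns1.example.com", ("192.0.2.1", "2001:db8::1"))):
        p = plan_bootstrap(*args)
        kind = "in-bailiwick" if p.in_bailiwick else "out-of-bailiwick"
        print(f"{p.ns} ({kind}) -> {p.lookups}")
```

The out-of-bailiwick branch is the one the draft actually covers; the reverse-zone branch only shows what the quoted proposal would have to rely on, and it inherits the extra requirement that the address-holder's reverse zone be DNSSEC-signed.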
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
